about us

who we are

SCADACS is an organizational unit of the Secure Identity Research Group
(AGSI) at Freie Universität Berlin, led by Prof. Volker Roth. It comprises
research assistants and students of AGSI and student volunteers, some of
whom are also part-time employees of security consulting firms.

research

Our research is directed at measuring and visualizing the attack surface of
cyber-physical systems, detecting and analyzing attacks on these systems,
developing interim protection mechanisms, and designing architectures for
secure cyber-physical systems.

education

We educate ourselves about the technology and best practices of industrial
automation so that we can help secure cyber-physical systems against
attacks. Through teaching courses and training we pass our experience on to
students and future security professionals.

projects

All SCADACS members work on internal projects meant to expand our capability
to analyze and modify industrial protocols and systems. Through
collaboration and joint projects with industry and security consulting
firms, we strive to transfer our experiences into practice.

the risk

Unseen and unnoticed by most, cyber-physical systems enable
much of our modern society. From manufacturing to utilities to modern
building management, all of these systems are combinations of computers,
sensors and actuators that have a concrete impact on the world we perceive
and live in. Many of these systems are accessible over the Internet and
they are targets of attacks
[1, 2].
The
trend towards interconnecting these systems will grow as we move towards
greater integration and “smart” production. In rushing towards
“Industry 4.0”, there is a clear risk that, once again, technology is
put into place without proper design of protection mechanisms. However,
the future consequences will likely be more severe than they are already
today.

TR-069: Before and after the 2016/11 botnet attack that caused the Telekom AG outage in Germany.

Using data from censys.io and our data enrichment and analysis framework from the RiskViz project, we are able to show the distribution of all TR-069 devices in Europe before and after the attack. It is very easy to see that the Telekom attack has blocked the TR-069 TCP port 7547.

new attack vector published on Black Hat 2015

attack surface

Internet search engines often stumble upon cyber-physical
systems not meant to be accessible to unauthorized parties. Left shows a
particular flavor of industrial systems, geo-located on a map of European
countries. The data was obtained from the SHODAN search engine. However,
contemporary search engines miss part of the story because they do not
speak industrial protocols such as modbus and s7comm.

We have developed a versatile high-speed scanner and search
engine for industrial systems which is able to uncover and query
industrial systems that are under the radar of contemporary public search
engines. Systems found in this fashion are particularly vulnerable because
industrial protocols typically do not enforce access controls.
Consequently, adversaries can often obtain full control over these systems
and other devices connected to them.

anatomy of an attack

Equipped with the right tools to find and access ICS,
adversaries can download and analyze the code on a programmable logic
controller (PLC). Adversaries can then analyze and modify the code and
load it back onto the PLC in order to perform sabotage. This
process can be performed online or it can be automated by means of malware that
infects engineering workstations, similar to Stuxnet.

attack proliferation

An old NSA quote says “Attacks only get better, not worse.” And
so do tools that support attacks. It would be foolish to assume that
sophisticated attacks will remain the privilege of a few skilled people or
state actors. Criminal markets have emerged that leverage economies of
scale. Where there is a demand for tools to attack cyber-physical systems,
someone will eventually provide the tools and services to monetize
them.

Our Industrial Risk Assessment Map project is meant to visualize the
attack surface based on the input of search engines for cyber-physical
systems (CPS) and to communicate the threats of attack automation.
Cyber-physical systems can be selected according to various geographic and
system-specific criteria. Individual systems can be matched against
vulnerability databases and if an exploit is available, it is conceptually
easy to launch an attack with a single press of a button.

interim defenses

Companies are often oblivious to the fact that their ICS are
Internet-facing. We have seen cases where ICS were reachable behind
firewalls. Companies need to re-architect their networks to adapt to the
risk. In order to protect TIA engineering workstations (EWS) against PLC
malware, we have developed a Trusted Guard system. The Guard is plugged
in between an EWS and the industrial network, and it intercepts PLC code
en route from the EWS to the PLC. Using a trusted display, an engineer can
verify independently that the code is free of malicious modifications, by
comparing it visually to a prior version. Turning a key while holding a
button allows the upload to proceed, whereas just turning the key aborts
the upload. The Guard would have been effective against Stuxnet.
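The decision logic of such a guard can be sketched in a few lines. The following Python is an added illustration written for this page, not the SCADACS Trusted Guard implementation: the PLC programs are constructed plain-text stand-ins for real block listings, the "trusted display" is a unified diff against the last approved version, and the key and button are modelled as two boolean inputs that must both be present for the upload to be released.

```python
import difflib
import hashlib
from dataclasses import dataclass, field

# Constructed sample "PLC programs" (text stand-ins for block listings).
APPROVED_PROGRAM = """NETWORK 1
A I0.0
AN I0.1
= Q0.0
NETWORK 2
L MW10
T MW12
"""

# A legitimate engineering change: one transfer target edited.
BENIGN_UPDATE = APPROVED_PROGRAM.replace("T MW12", "T MW14")

# A modification that unconditionally sets an extra output (constructed example).
TAMPERED_UPDATE = APPROVED_PROGRAM + "NETWORK 3\nSET\n= Q0.7\n"


def fingerprint(program: str) -> str:
    """Stable identifier for a program version, so the guard can tell
    whether the candidate is byte-identical to the approved one."""
    return hashlib.sha256(program.encode()).hexdigest()


def render_diff(approved: str, candidate: str) -> list:
    """What the trusted display shows: a unified diff of the candidate
    against the last approved version. Empty list means no change."""
    return list(difflib.unified_diff(
        approved.splitlines(), candidate.splitlines(),
        fromfile="approved", tofile="candidate", lineterm=""))


@dataclass
class GuardDecision:
    allowed: bool
    reason: str
    diff: list = field(default_factory=list)


def guard_decide(approved: str, candidate: str,
                 key_turned: bool, button_held: bool) -> GuardDecision:
    """Gate an intercepted upload on two independent physical inputs.
    Only key + button releases the upload; key alone aborts it; no key
    means the upload stays pending on the guard."""
    diff = render_diff(approved, candidate)
    if fingerprint(approved) == fingerprint(candidate):
        # Nothing to review: identical to what was already approved.
        return GuardDecision(True, "candidate identical to approved version", diff)
    if not key_turned:
        return GuardDecision(False, "pending: awaiting engineer review", diff)
    if not button_held:
        return GuardDecision(False, "aborted: key turned without button", diff)
    return GuardDecision(True, "released: key turned while holding button", diff)


if __name__ == "__main__":
    for name, candidate in (("benign", BENIGN_UPDATE), ("tampered", TAMPERED_UPDATE)):
        decision = guard_decide(APPROVED_PROGRAM, candidate, key_turned=False, button_held=False)
        print(f"--- {name} candidate, shown on trusted display ---")
        print("\n".join(decision.diff))
        print(decision.reason)
```

Running the block prints the diff an engineer would see for each candidate; with no key input the guard reports both as pending. The point of the structure is that the release decision depends only on the two physical inputs and the displayed diff, so a compromised EWS can alter the code it sends but cannot supply the key turn or press the button.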

education and training

SCADACS runs a hacking lab equipped with EWS, PLCs and miniature
models of industrial production systems. All members have access
to the lab so that they can continuously educate and train
themselves. We offer interested students a practical introductory
course on SCADA/ICS systems on an annual basis. At the beginning
participants learn how to program these systems from the
perspective of an engineer. Then we show how ICS systems can be
compromised and develop countermeasures to prevent this.